File s390-tools-sles11sp3-lszcrypt-cex4-support.patch of Package s390-tools

Subject: [PATCH] [FEAT SEC1101] lszcrypt: Add support for CEX4 crypto cards
From: Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com>

Summary:     lszcrypt: Add support for CEX4 crypto cards
Description: CEX4 crypto cards are now supported by lszcrypt and chzcrypt.
             Card capabilities and pending request counters are displayed
             in verbose level 3.
Upstream-ID: - 
Problem-ID:  SEC1101

Signed-off-by: Ingo Tuchscherer <ingo.tuchscherer@de.ibm.com>
---
 zconf/chzcrypt   |    3 +
 zconf/lszcrypt   |  131 +++++++++++++++++++++++++++++++++++++++++++++++--------
 zconf/lszcrypt.8 |   89 ++++++++++++++++++++++++++++---------
 3 files changed, 183 insertions(+), 40 deletions(-)

--- a/zconf/chzcrypt
+++ b/zconf/chzcrypt
@@ -246,6 +246,9 @@ for DEV in $DEV_LIST ; do
 	echo "$CMD: error - cryptographic adapter $CARD does not exist!" >&2
 	exit 1
     fi
+    if [ ! -w $DEV/online ] ; then
+	continue
+    fi
     verbose "Setting cryptographic adapter $CARD $ONLINE_TEXT."
     echo $ONLINE > "$DEV/online" 2> /dev/null
     if [ "$( cat $DEV/online )" != "$ONLINE" ] ; then
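Review bot: The added `continue` skips an adapter whose `online` attribute is not writable without telling the operator, so a request to take a cryptographic adapter offline can, as far as this hunk shows, finish with no message while the adapter's state is unchanged. Consider reporting the skip, e.g. `echo "$CMD: warning - cryptographic adapter $CARD has no writable online attribute, skipping." >&2`, or at least `verbose "Skipping cryptographic adapter $CARD (online attribute not writable)."`. The test should also quote the path: `if [ ! -w "$DEV/online" ] ; then`. The loop body starts and ends outside the hunk, so the resulting exit status is not visible here.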
--- a/zconf/lszcrypt
+++ b/zconf/lszcrypt
@@ -1,6 +1,6 @@
 #!/bin/bash
 #==============================================================================
-# Copyright IBM Corp. 2008.
+# Copyright IBM Corp. 2012.
 #
 # lszcrypt
 #
@@ -8,6 +8,7 @@
 #
 # Author(s): Ralph Wuerthner <rwuerthn@de.ibm.com>
 #	     Felix Beck <felix.beck@de.ibm.com>
+#	     Holger Dengler <hd@linux.vnet.ibm.com>
 #
 # This file is part of s390-tools
 #
@@ -28,17 +29,29 @@
 
 CMD="$( basename $0 )"
 
+CAP_RSA2K="RSA 2K Clear Key"
+CAP_RSA4K="RSA 4K Clear Key"
+CAP_CCA="CCA Secure Key"
+CAP_RNG="Long RNG"
+
+let MASK_RSA4K=0x60000000
+let MASK_COPRO=0x10000000
+let MASK_ACCEL=0x08000000
+
 function print_usage() {
 	cat <<-EOF
 	Usage: $CMD [<options>] [<cryptographic adapter ids>]
+	       $CMD -c|--capability <cryptographic adapter id>
 	Display zcrypt device and configuration information.
 
 	<options>
 	-b|--bus
 	        Show AP bus attributes and exit.
+	-c|--capability <cryptographic adapter id>
+	        Shows the capabilities of a cryptographic adapter.
 	-V|--verbose
 	        Increase verbose level for cryptographic adapter information. Maximum
-	        verbose level is two.
+	        verbose level is three.
 	-v|--version
 	        Show version information and exit.
 	-h|--help
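Review bot: `MASK_RSA4K=0x60000000` covers two bits, and none of the three masks carries a comment saying which `ap_functions` facility each bit stands for. show_capability, added later in this patch, tests it with `(( FUNC_VAL&$MASK_RSA4K ))`, which is true when either bit is set. If RSA 4K support needs both facilities (presumably the two 4K RSA facility bits), the test should be `(( (FUNC_VAL & MASK_RSA4K) == MASK_RSA4K ))`. Either way, a one-line comment above the masks stating the bit meanings and whether both or either is required would make the intent checkable.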
@@ -46,14 +59,14 @@ function print_usage() {
 
 	<cryptographic adapter ids>
 	List of cryptographic adapter ids separated by blanks which will be displayed.
-	If not ids are given all available adapters are displayed.
+	If no ids are given all available adapters are displayed.
 	EOF
 }
 
 function print_version() {
     cat <<-EOF
 	$CMD: version %S390_TOOLS_VERSION%
-	Copyright IBM Corp. 2007
+	Copyright IBM Corp. 2012
 	EOF
 }
 
@@ -89,6 +102,65 @@ show_bus() {
     fi
 }
 
+show_capability() {
+    CARD="$( printf "card%02x" "$1" 2> /dev/null )"
+    DEV=$SYSFS/devices/ap/$CARD
+    if [ ! -d $DEV ] ; then
+	echo "$CMD: error - cryptographic adapter $CARD does not exist!" >&2
+	exit 1
+    fi
+    HWTYPE="$( cat $DEV/hwtype 2> /dev/null )"
+    FUNCS="$( cat $DEV/ap_functions 2> /dev/null )"
+    # If sysfs attribute is missing, set functions to 0
+    if [ "x"$FUNCS == "x" ] ; then
+	FUNCS="0x00000000"
+    fi
+    # skip devices, which are not supported by zcrypt layer
+    if [ ! -r $DEV/type -a ! -r $DEV/online ] ; then
+	CAPS="Detailed capability information for $CARD"
+	CAPS+=" (hardware type $HWTYPE) is not available."
+	echo -e $CAPS
+	return;
+    fi
+    let FUNC_VAL=$FUNCS
+    CAPS="$CARD provides capability for:\n"
+    case $HWTYPE in
+	6|8)
+		if (( FUNC_VAL&$MASK_RSA4K )) ; then
+			CAPS+="$CAP_RSA4K"
+		else
+			CAPS+="$CAP_RSA2K"
+		fi
+		;;
+	7|9)
+		CAPS+="$CAP_RSA4K\n"
+		CAPS+="$CAP_CCA\n"
+		CAPS+="$CAP_RNG"
+		;;
+	10)
+		if (( FUNC_VAL&$MASK_ACCEL )) ; then
+			if (( FUNC_VAL&$MASK_RSA4K )) ; then
+				CAPS+="$CAP_RSA4K"
+			else
+				CAPS+="$CAP_RSA2K"
+			fi
+		elif (( FUNC_VAL&$MASK_COPRO )) ; then
+			CAPS+="$CAP_RSA4K\n"
+			CAPS+="$CAP_CCA\n"
+			CAPS+="$CAP_RNG"
+		else
+			CAPS="Detailed capability information for $CARD"
+			CAPS+=" (hardware type $HWTYPE) is not available."
+		fi
+		;;
+	*)
+		CAPS="Detailed capability information for $CARD"
+		CAPS+=" (hardware type $HWTYPE) is not available."
+		;;
+     esac
+     echo -e $CAPS
+}
+
 show_device() {
     CARD="$1"
     DEV="$SYSFS/bus/ap/devices/$CARD"
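Review bot: In show_capability, `printf "card%02x" "$1" 2> /dev/null` hides the conversion error for a non-numeric or malformed id (for example `08`, which bash rejects as invalid octal) and still yields `card00`, so `-c` can report the capabilities of a different adapter than the one requested. Check the status of the substitution, e.g. `CARD="$( printf "card%02x" "$1" 2> /dev/null )" || invalid_cmdline "invalid cryptographic adapter id: $1"` (invalid_cmdline is used later in this patch; its definition is outside the page). Separately, `let FUNC_VAL=$FUNCS` evaluates the attribute's content as an arithmetic expression. Matching it against a hex pattern first, `[[ $FUNCS =~ ^0x[0-9a-fA-F]+$ ]] || FUNCS="0x00000000"`, would also replace the unquoted `[ "x"$FUNCS == "x" ]` test.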
@@ -96,37 +168,48 @@ show_device() {
 	echo "$CMD: error - cryptographic adapter $CARD does not exist!" >&2
 	exit 1
     fi
-    if [ -r $DEV/type ] ; then
-	TYPE="$( cat $DEV/type 2> /dev/null )"
-    else
-	TYPE=unknown
+    if [ ! -r $DEV/type -a ! -r $DEV/online ] ; then
+	# skip devices, which are not supported by zcrypt layer
+	return;
     fi
-    if [ -r $DEV/online ] ; then
-	if [ "$( cat $DEV/online 2> /dev/null )" -eq 0 ] ; then
-	    ONLINE=offline
-	else
-	    ONLINE=online
-	fi
+    TYPE="$( cat $DEV/type 2> /dev/null )"
+    if [ "$( cat $DEV/online 2> /dev/null )" -eq 0 ] ; then
+	ONLINE=offline
     else
-	ONLINE=unknown
+	ONLINE=online
     fi
     case $VERBOSE in
 	0) echo "$CARD: $TYPE"
 	    ;;
 	1) printf "%s: %-11s %-7s\n" $CARD $TYPE $ONLINE
 	    ;;
-	*)
+	2)
 	    HWTYPE="$( cat $DEV/hwtype 2> /dev/null )"
 	    DEPTH="$( cat $DEV/depth 2> /dev/null )"
 	    REQ_CNT="$( cat $DEV/request_count 2> /dev/null )"
 	    printf "%s: %-11s %-7s hwtype=%-2d depth=%d request_count=%-10d\n" \
 	    $CARD $TYPE $ONLINE $HWTYPE $DEPTH $REQ_CNT
+	    ;;
+	*)
+	    HWTYPE="$( cat $DEV/hwtype 2> /dev/null )"
+	    DEPTH="$( cat $DEV/depth 2> /dev/null )"
+	    REQ_CNT="$( cat $DEV/request_count 2> /dev/null )"
+	    REQQ_CNT="$( cat $DEV/requestq_count 2> /dev/null )"
+	    PENQ_CNT="$( cat $DEV/pendingq_count 2> /dev/null )"
+	    FUNCS="$( cat $DEV/ap_functions 2> /dev/null )"
+	    FMT="%s: %-11s %-7s hwtype=%-2d depth=%d"
+	    FMT+=" request_count=%d pendingq_count=%d requestq_count=%d"
+	    FMT+=" functions=%-10s\n"
+	    printf "$FMT" \
+	           $CARD $TYPE $ONLINE $HWTYPE $DEPTH \
+		   $REQ_CNT $PENQ_CNT $REQQ_CNT \
+		   $FUNCS
     esac
 }
 
 # Parse command line
-TEMP=`getopt -o bhvV \
-      --long bus,help,version,verbose \
+TEMP=`getopt -o bchvV \
+      --long bus,capability,help,version,verbose \
      -n "$CMD" -- "$@"`
 if [ $? != 0 ] ; then
     exit 1
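Review bot: The new guard in show_device returns only when both `type` and `online` are unreadable (`-a`), but the lines after it read both unconditionally and the old `unknown` fallbacks are removed. With only `type` readable, `[ "" -eq 0 ]` fails and the adapter is reported as `online`; the guard probably wants an OR: `if [ ! -r "$DEV/type" ] || [ ! -r "$DEV/online" ] ; then`. In the new verbose-3 branch the unquoted `$REQ_CNT $PENQ_CNT $REQQ_CNT $FUNCS` arguments vanish when an attribute is missing (the man page says output depends on the kernel version), so later values shift into the wrong `%d` fields. Quote them and default the counters, e.g. `"${PENQ_CNT:-0}"`. show_device begins before this hunk.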
@@ -139,6 +222,8 @@ while true ; do
     case "$1" in
 	-b|--bus) SHOW_BUS=1
 	    shift;;
+	-c|--capability) SHOW_CAPABILITY=1
+	    shift;;
 	-h|--help) print_usage
 	    exit 0;;
 	-v|--version) print_version
@@ -168,7 +253,15 @@ fi
 if [ -n "$SHOW_BUS" ] ; then
     show_bus
     exit 0
-fi    
+fi
+
+if [ -n "$SHOW_CAPABILITY" ] ; then
+    if [ $# -ne 1 ] ; then
+       invalid_cmdline "capability option requires a single cryptographic device id"
+    fi
+    show_capability $@
+    exit 0
+fi
 
 if [ $# -eq 0 ] ; then
     DEVLIST="$( find $SYSFS/bus/ap/devices -name 'card*' -printf '%f\n' | sort )"
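Review bot: `show_capability $@` is unquoted, so an id argument containing blanks is split again after the `$# -ne 1` check and only its first word reaches the function. Since exactly one argument is required at this point, pass it directly: `show_capability "$1"`.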
--- a/zconf/lszcrypt.8
+++ b/zconf/lszcrypt.8
@@ -4,11 +4,15 @@ lszcrypt \- display zcrypt device and co
 .SH SYNOPSIS
 .TP 9
 .B lszcrypt
-.RB "[ " -V " | " -VV " ] "
+.RB "[ " -V " | " -VV " | " -VVV " ] "
 [
 .I <device id>
 [...]]
 .TP
+.B lszcrypt
+.B -c
+<device id>
+.TP
 .B lszcrypt -b
 .TP
 .B lszcrypt -h
@@ -18,50 +22,93 @@ lszcrypt \- display zcrypt device and co
 The
 .B lszcrypt
 command is used to display information about cryptographic adapters managed by
-zcrypt and zcrypt's AP bus attributes. Displayed information depends on the
+zcrypt and the AP bus attributes of zcrypt. Displayed information depends on the
 kernel version.
 .B lszcrypt
-requires that the sysfs filesystem is mounted.
+requires that sysfs is mounted.
 .P
-The following information can be displayed for each cryptographic adapter: card
-type, online status, hardware card type, hardware queue depth, and request
-count. The following AP bus attributes can be displayed: AP domain,
-configuration timer, poll thread status, poll timeout, and AP interrupt status.
+The following information can be displayed for each cryptographic
+adapter: card type (symbolic), online status, hardware card
+type (numeric), installed function facilities, card capability, hardware
+queue depth, request count, number of requests in hardware queue, and
+the number of outstanding requests.
+The following AP bus attributes can be displayed: AP domain,
+configuration timer, poll thread status, poll timeout, and AP interrupt
+status.
 .SH OPTIONS
 .TP 8
 .B -V, --verbose
-Increase verbose level for cryptographic adapter information. Maximum verbose
-level is two. At verbose level one card type and online status are displayed.
-At verbose level two card type, online status, hardware card type, hardware
-queue depth, and request count are displayed.
+Increases the verbose level for cryptographic adapter information.
+The maximum verbose level is three. At verbose level one card type
+and online status are displayed. At verbose level two card type,
+online status, hardware card type, hardware queue depth, and
+request count are displayed. At verbose level three card type,
+online status, hardware card type, hardware queue depth,
+request count, pending request queue count, outstanding
+request queue count, and installed function facilities are displayed.
 .TP 8
 .B <device id>
-Specifies a cryptographic adapter which will be displayed. A cryptographic
+Specifies a cryptographic adapter to display. A cryptographic
 adapter can be specified either in decimal or hexadecimal notation using
 a '0x' prefix. If no adapters are specified information about all available
-adapters will be displayed.
+adapters is displayed.
 .TP 8
 .B -b, --bus
-Show AP bus attributes and exit.
+Displays the AP bus attributes and exits.
+.TP 8
+.B -c, --capability <device id>
+Shows the capabilities of a cryptographic adapter of hardware type 6 or
+higher. The capabilities of a cryptographic adapter depend on the card
+type and the installed function facilities. A cryptographic adapter can
+provide one or more of the following capabilities:
+.RS
+.IP "o" 3
+RSA 2K Clear Key
+.IP "o"
+RSA 4K Clear Key
+.IP "o"
+CCA Secure Key
+.IP "o"
+Long RNG
+.RE
 .TP 8
 .B -h, --help
-Print help text and exit.
+Displays help text and exits.
 .TP 8
 .B -v, --version
-Print version information and exit.
+Displays version information and exits.
 .SH EXAMPLES
 .TP
 .B lszcrypt -V
-Will display card type and online status of all available cryptographic
+Displays card type and online status of all available cryptographic
 adapters.
 .TP
 .B lszcrypt -VV 0 1 10 12
-Will display card type, online status, hardware card type, hardware queue
-depth, and request count for cryptographic adapters in decimal notation 0, 1,
-10, and 12.
+Displays the card type in hexadecimal notation, online status,
+hardware card type, hardware queue depth, and request count for
+cryptographic adapters 0, 1, 10, and 12 in decimal notation.
+.TP
+.B lszcrypt -VVV 3 7 11
+Displays the card ID and the installed function facility in
+hexadecimal notation, as well as card type, online status, hardware
+card type, hardware queue depth, request count, pending request
+queue count, and outstanding request queue count for cryptographic
+adapters 3, 7, and 11 in decimal notation.
 .TP
 .B lszcrypt -b
-Will display AP bus information.
+Displays AP bus information.
+.TP
+.B lszcrypt -c 7
+.RS
+.br
+Coprocessor card07 provides capability for:
+.br
+CCA Secure Key
+.br
+RSA 4K Clear Key
+.br
+Long RNG
+.RE
 .SH SEE ALSO
 \fBchzcrypt\fR(8)
 .SH AUTHOR